0

We have several sensitive fields in our database which need to be prevented from entering the Java string pool. All are VARCHAR in the database and we use StringBuilders in our code to prevent them from being put in the constant pool.

We use MyBatis to interact with the database and I'm currently trying to implement a typehandler which I'm attempting to use setObject to map StringBuilder to Varchar to.

I'm wondering if this is possible and, if it is, are there other areas between MyBatis and the JDBC which mean that the VARCHAR not ending up in the String pool cannot be guaranteed? ( Casts in the code, statements coming as strings, that kind of thing )

I've asked the question on the mybatis-users google group as well but so far nobody has been able to help there

Edit - I should clarify that this isn't strictly about the string pool, it's about controlling where the data is on the heap and erasing the data from the mutable CharSequence as soon as possible by overwriting with nulls. The strings absolutely cannot go into the pool but simply nulling a string which is not in the pool can still lead to security issues due to how garbage collection works.

LiamRyan
  • 1,892
  • 4
  • 32
  • 61
  • String will end up in string pul only if it is constant in code or `intern` method was called. So I don't think you must worry about this. – talex Aug 30 '16 at 13:34
  • According to best practices you should ensure that the string is in something on the heap and is overwritten as soon as possible so even if it's not in the constant pool if there's a reference that is not immediately overwritten it still causes issues if a heapdump is generated. If it's set to null it may still be present due to how garbage collection works – LiamRyan Aug 30 '16 at 13:36
  • In this case you better use `char[]` because you can simple overwrite data. And also I little jealous because I never work with such high security levels. – talex Aug 30 '16 at 13:39
  • I'm using StringBuilder which internally uses a mutable CharSequence so it's pretty much the same thing, however this question is about whether mybatis and/or jdbc use immutable strings regardless of typehandler at some point in the process – LiamRyan Aug 30 '16 at 13:42
  • It may lead to potential leaks because internal buffer in case of relocation will not be cleared. – talex Aug 30 '16 at 13:51

1 Answers1

2

Not sure that this will help, but here goes.

First, create a customer TypeHandler (extend org.apache.ibatis.type.BaseTypeHandler or implement org.apache.ibatis.type.TypeHandler) to handle your column.

Instead of the "standard" varchar to String implementation:

@Override
public String getNullableResult(ResultSet rs, int columnIndex)
throws SQLException
{
    return rs.getString(columnIndex);
}

implement this

@Override
public StringBuilder getNullableResult(ResultSet rs, int columnIndex)
throws SQLException
{
    final StringBuilder returnValue = new StringBuilder();
    final byte[] value = rs.getbytes(columnIndex);

    // add the bytes to the StringBuilder.

    return returnValue;
}

Once you implement the entire TypeHandler interface, you will need to register your type handler and configure it for the desired column.

Here is a reference page

DwB
  • 37,124
  • 11
  • 56
  • 82
  • Thanks it helps as far as the typehandler goes, I did something similar but with characterstream, now I just have to figure out why I get invalid column type exceptions when setters are called – LiamRyan Aug 31 '16 at 15:01
  • consider another stack overflow question. also, as a trouble shooting technique, change the type of your setter parameter to Object then print the parameter class name. for example, `public void setterName(final Object newValue) { System.out.println(newValue.getClass().getName()); } ` – DwB Aug 31 '16 at 17:36